Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

#1 | 11-04-2007, 07:36 PM
LQ Newbie | Registered: Nov 2007 | Distribution: centOS | Posts: 14
chroot jail w/ openssh problems
Hey,
I would like to jail my users and found this (seemingly) great tutorial: http://www.technicalarticles.org/ind..._a_Chroot_Jail
I created a test server to install it on and get it down, so I can do it quickly on my production server. The server is a minimum install from a CentOS 4.4 Server CD. I have run the following commands:
Code:
tar -xvf openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --without-zlib-version-check      # failed: no compiler
yum install gcc
./configure --without-zlib-version-check      # failed: no zlib
cd /root
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make test
make install
cd /root/openssh-4.2p1-chroot
./configure --without-zlib-version-check      # failed: no libcrypto
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
yum update openssl
Each time I try to configure, I get more and more dependencies I'm missing: first GCC, then zlib, and now libcrypto. I have the newest version of openssl and I have the following files in /lib:
libcrypt.so.1
libcrypt-2.3.4.so
libcrypto.so.0.9.7a
libcrypto.so.4 (link file to ... nowhere?)
I can't find a way to install this file, and I'm sure that even if I can get it installed there will be more that I will have problems with. Is there a better tutorial that I just can't seem to find? Is there a better way to install the OpenSSH chroot (an RPM download, or in a repo somewhere)?
I don't need anything fancy because I only have a few users, but I'd just like to be able to jail these few users to their home dir and still allow them to log in through SFTP (I have them all using WinSCP).
Thanks,
Adam
P.S. I've tried jailkit and had a lot of problems with it. I couldn't find any CentOS/RHEL-specific install instructions, and their website seems outdated with respect to what the commands actually do.

#2 | 11-05-2007, 02:19 AM
LQ Newbie | Registered: Nov 2007 | Posts: 16
chroot'd SFTP
I had exactly the same problem you are encountering, so I devised a method that doesn't require libraries and all that. Users are jailed, and can only use SFTP:
HOWTO: chroot SFTP Only
I hope this helps!
--
Minstrel

#3 | 11-05-2007, 11:04 PM
LQ Newbie (Original Poster) | Registered: Nov 2007 | Distribution: centOS | Posts: 14
It seems promising to me. I am in a drama production and currently we are in the portion called "hell week" (the week before the show), and I'm running the sound board, so I am very busy, but sometime this week or next I will post my results.
Thanks,
-Adam

#4 | 11-07-2007, 02:05 AM
LQ Newbie | Registered: Nov 2007 | Posts: 16
Excellent - I hope it is a more useful solution for you.
And good luck with your production!!
--
Minstrel

#5 | 11-20-2007, 06:03 PM
LQ Newbie (Original Poster) | Registered: Nov 2007 | Distribution: centOS | Posts: 14
Thanks!
I got it to work perfectly. The tutorial you gave was a great help, but still not quite enough. I eventually found solutions to all of my problems. Seeing how hard it was for me, I will write a small article on my website with what I did. Basically it will be a tutorial based off of all the tutorials I followed.
I will post a link here for any that have my same problems.
Thanks for all of your help,
-Adam

#6 | 11-21-2007, 01:19 AM
LQ Newbie | Registered: Nov 2007 | Posts: 16
Quote (Originally Posted by goillini):
> Thanks!
> ...
> I will post a link here for any that have my same problems.
> ...
That will be great - once you've put together your page, I'll add a link to mine...
--
Minstrel

#7 | 11-27-2007, 06:05 PM
LQ Newbie (Original Poster) | Registered: Nov 2007 | Distribution: centOS | Posts: 14
As I said, I am posting a link to the page I created describing my method for getting it to work.
http://adamsworld.name/chrootjail.php
-Adam

#8 | 11-29-2007, 06:54 PM
Senior Member | Registered: Oct 2003 | Location: Australia | Posts: 4,424
Hey guys, nice work.
I am just a home user, so I am just curious to know whether you have tested an attempt to break out like this:
http://www.bpfh.net/simes/computing/chroot-break.html

#9 | 11-29-2007, 07:27 PM
LQ Newbie (Original Poster) | Registered: Nov 2007 | Distribution: centOS | Posts: 14
Well, this version is using an SFTP-only shell, which does not allow an interactive login or command-line access.
I just tested this...
First of all, you have to use a program that supports SFTP. Login is denied to anything but the SFTP protocol. So in WinSCP, I created a bash file (tried Perl too) and then tried to execute it (the user doesn't have the ability to run the C compiler). After trying to execute it (right click -> Custom commands -> Execute) I got the following error:
"Server send command exit status 2" with the description "Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended)."
As it turns out, you get this error when trying to execute any file (including HTML files and text files). You get to this error before it even checks whether the file is of an executable type.
At the beginning of the page you sent, it listed many commands the user would need access to. Using these tutorials, the user doesn't need access to anything other than the SFTP shell.
It seems to me that it cannot be broken using this method. I'm no expert though.
-Adam

#10 | 11-30-2007, 01:55 AM
Senior Member | Registered: Oct 2003 | Location: Australia | Posts: 4,424
Thanks Adam.

#11 | 11-30-2007, 03:37 AM
LQ Newbie | Registered: Nov 2007 | Posts: 16
Quote (Originally Posted by goillini):
> ...
> It seems to me that it cannot be broken using this method. I'm no expert though.
> -Adam
I would tend to agree with Adam on this - the 'sftpsh' shell *should* prevent use of anything other than legitimate SFTP commands. If somebody does find a way to break out of the chroot'd SFTP system I put together, I'd very much like to hear about it so I can find a way to prevent it!
--
Minstrel

#12 | 04-05-2008, 05:08 PM
LQ Newbie | Registered: Nov 2007 | Posts: 16
No need to custom code any more!
Since version 4.9 of OpenSSH, this is now a built-in feature. I have written up the method I've used to migrate to it, in case it's of use to others:
http://www.minstrel.org.uk/papers/sftp/builtin.html
Nice not to have to custom-code each time there's an update to OpenSSH!
Hope this helps.
--
Minstrel
http://www.minstrel.org.uk/
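The post above points to OpenSSH's built-in ChrootDirectory support. The script below is an added example, written for this page and not taken from the thread or from either member's write-up, showing what that setup looks like on a Linux host. Its names are assumptions: a group called sftponly, a jail root of /srv/sftp, and a user-owned upload directory inside each jail. It also assumes GNU coreutils, useradd/groupadd, and that it is run as root. It rewrites the distribution's existing Subsystem line rather than adding a second one, because sshd rejects a configuration with two sftp subsystems, and it lays the directories out with the ownership sshd checks on every component of the chroot path (root-owned, not group or world writable).

```shell
#!/bin/sh
# Added example, not from the thread or from the write-ups it links to: an
# SFTP-only jail using OpenSSH's built-in ChrootDirectory and in-process
# internal-sftp (OpenSSH 4.9 and later). Because internal-sftp runs inside
# sshd, the jail needs no shell, libraries or sftp-server binary at all.
# Assumptions (not from the page): group name "sftponly", jail root /srv/sftp,
# a Linux host with GNU coreutils, useradd and groupadd; run as root.
set -eu

JAIL_ROOT=${JAIL_ROOT:-/srv/sftp}
SFTP_GROUP=${SFTP_GROUP:-sftponly}

# Match block for sshd_config. Everything after a Match line belongs to it,
# so the block is appended after all global options. Subsystem is not valid
# inside Match and is handled separately in install_sshd_config.
sftp_match_block() {
    cat <<EOF

# SFTP-only jailed users
Match Group $SFTP_GROUP
    ChrootDirectory $JAIL_ROOT/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Switch the sftp subsystem to internal-sftp and append the Match block.
# sshd refuses a config with two "Subsystem sftp" lines, so the existing
# line is rewritten in place rather than duplicated.
install_sshd_config() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    sed 's|^[[:space:]]*Subsystem[[:space:]]*sftp[[:space:]].*|Subsystem sftp internal-sftp|' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^Subsystem[[:space:]]*sftp[[:space:]]' "$cfg" \
        || echo 'Subsystem sftp internal-sftp' >> "$cfg"
    sftp_match_block >> "$cfg"
}

# Create the jail for one user with the ownership sshd insists on: every
# component of the ChrootDirectory path is root-owned and not writable by
# group or others, so the user gets a separate writable "upload" directory.
make_jail() {
    user=$1
    jail=$JAIL_ROOT/$user
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # No login shell is needed: ForceCommand internal-sftp never starts one,
    # so /sbin/nologin is only a second line of defence.
    id "$user" >/dev/null 2>&1 \
        || useradd -g "$SFTP_GROUP" -d "$jail" -s /sbin/nologin "$user"
    install -d -o root -g root -m 0755 "$JAIL_ROOT" "$jail"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0750 "$jail/upload"
    # After chroot the passwd home directory does not exist inside the jail;
    # sshd starts the session at the jail root, where /upload is the only
    # writable directory.
}

if [ $# -eq 1 ]; then
    make_jail "$1"
    install_sshd_config /etc/ssh/sshd_config
    sshd -t                      # syntax-check the result before reloading
    echo "jail for $1 ready; reload sshd to activate"
fi
```

Run it as root with the user name as the only argument, then reload sshd. Unlike the patched-OpenSSH approach at the start of the thread, nothing has to be copied into the jail: the SFTP server runs inside the sshd process, so the jailed account has no shell and no binaries at all, which is also why the libcrypto and zlib dependency chase from post #1 disappears. The user's passwd home directory is interpreted inside the chroot, so the session starts at the jail root; that is why the writable upload directory sits one level down rather than being the chroot itself.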

#13 | 05-04-2008, 07:21 PM
LQ Newbie (Original Poster) | Registered: Nov 2007 | Distribution: centOS | Posts: 14
I also have updated my tutorial.
http://adamsworld.name/chrootjail5.php
My tutorial is designed for Red Hat-based OSes.
-Adam

#14 | 07-10-2008, 01:44 PM
LQ Newbie | Registered: Jan 2007 | Posts: 4
Quote (Originally Posted by goillini):
Adam,
Your tutorial has helped me immensely, but I have a few questions for you... You set the user shell to /bin/false. Why is this, or can I use another shell?
Also, I seem to be getting the error:
"fatal: bad ownership or modes for chroot directory component "/""
You chown directories to root:root, but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.

#15 | 07-10-2008, 11:14 PM
LQ Newbie | Registered: Nov 2007 | Posts: 16
Quote (Originally Posted by mosx86):
> Adam,
> Your tutorial has helped me immensely, but I have a few questions for you... You set the user shell to /bin/false. Why is this, or can I use another shell?
> Also, I seem to be getting the error:
> "fatal: bad ownership or modes for chroot directory component "/""
> You chown directories to root:root, but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.
Shell can be anything, really, as the user shouldn't be able to gain a shell, but /bin/false means they can't do anything if they manage to. As for the directory ownership, root:admin should do the job - it's the root ownership that's most important.
--
Minstrel